From c2e05bec5df75269b3eefeea106985b7da0e7c58 Mon Sep 17 00:00:00 2001
From: Matthew Feickert
Date: Wed, 22 May 2024 08:48:53 -0500
Subject: [PATCH] ci: Add GitHub artifact attestations to package distribution (#470)

* Add generation of GitHub artifact attestations to built sdist and wheel before upload.
  c.f.:
  - https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
  - https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
* Add verification of artifact attestation before publishing vector to PyPI using the 'gh attestation verify' CLI API, added in v2.49.0.
  - c.f. https://github.com/cli/cli/releases/tag/v2.49.0
---
 .github/workflows/cd.yml | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 60451bbd..c7a4b16a 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -9,6 +9,10 @@ on:
 jobs:
   dist:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
     steps:
     - uses: actions/checkout@v4
       with:
@@ -17,13 +21,18 @@ jobs:
     - name: Build SDist and wheel
       run: pipx run build
 
+    - name: Check metadata
+      run: pipx run twine check dist/*
+
+    - name: Generate artifact attestation for sdist and wheel
+      uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+      with:
+        subject-path: "dist/vector-*"
+
     - uses: actions/upload-artifact@v4
       with:
         path: dist/*
 
-    - name: Check metadata
-      run: pipx run twine check dist/*
-
   publish:
     needs: [dist]
     runs-on: ubuntu-latest
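Review bot: The new attest step is pinned to a full commit SHA with a `# v1.1.2` comment, but `actions/checkout@v4` and `actions/upload-artifact@v4` in the same `dist` job remain on mutable tags, so the job that now mints OIDC-backed provenance still runs two steps whose code can change underneath it without any change to this file. Those two lines are context rather than part of this change, but `upload-artifact` is the step that carries the freshly attested files to the `publish` job, so pinning it the same way (`uses: actions/upload-artifact@<full-sha> # vX.Y.Z`) would make the provenance story consistent within the job. The `steps:` list of `dist` begins in the previous hunk and the `publish` job continues past the end of this one.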
@@ -40,4 +49,17 @@ jobs:
         name: artifact
         path: dist
 
+    - name: List distributions to be deployed
+      run: ls -l dist/
+
+    - name: Verify sdist artifact attestation
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: gh attestation verify dist/vector-*.tar.gz --repo ${{ github.repository }}
+
+    - name: Verify wheel artifact attestation
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: gh attestation verify dist/vector-*.whl --repo ${{ github.repository }}
+
     - uses: pypa/gh-action-pypi-publish@release/v1
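Review bot: The two verify steps only check files matching `dist/vector-*.tar.gz` and `dist/vector-*.whl`, while the `pypa/gh-action-pypi-publish@release/v1` step on the last line publishes whatever sits in `dist/` by default, so a file that reaches that directory without matching either glob would be uploaded without any attestation check. Iterating over every file in `dist/` and failing on the first one that does not verify closes that gap and also collapses the two near-duplicate steps into one. Separately, `--repo` only establishes that some workflow in this repository produced the attestation; if the installed `gh` supports a signer-identity option (`--signer-workflow`, or `--cert-identity` with this workflow's path), binding the check to `cd.yml` is a stronger guarantee than a repository-wide one, though that flag's availability in the pinned CLI version should be confirmed first. The `steps:` list of `publish` starts before this hunk.

```yaml
    - name: Verify artifact attestations
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        set -euo pipefail
        for dist_file in dist/*; do
          gh attestation verify "$dist_file" --repo "${{ github.repository }}"
        done

    # … unchanged: pypa/gh-action-pypi-publish step …
```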